chore(e2e): Address issue with deleting roles/policies (#5646)

moduli · web-flow · commit 4304ec0c1c49 · 2025-04-15T11:31:12.000-04:00
On destroy, there was an issue with deleting IAM roles due to the following error: DeleteConflict: Cannot delete entity, must detach all policies first

This commit adds an option to force the policy detachment, preventing the error.
diff --git a/enos/modules/aws_boundary/iam.tf b/enos/modules/aws_boundary/iam.tf
@@ -32,8 +32,9 @@ data "aws_iam_policy_document" "boundary_profile" {
 }
 
 resource "aws_iam_role" "boundary_instance_role" {
-  name               = "boundary_instance_role-${random_string.cluster_id.result}"
-  assume_role_policy = data.aws_iam_policy_document.boundary_instance_role.json
+  name                  = "boundary_instance_role-${random_string.cluster_id.result}"
+  assume_role_policy    = data.aws_iam_policy_document.boundary_instance_role.json
+  force_detach_policies = true
 }
 
 resource "aws_iam_instance_profile" "boundary_profile" {
diff --git a/enos/modules/aws_vault/iam.tf b/enos/modules/aws_vault/iam.tf
@@ -36,9 +36,10 @@ data "aws_iam_policy_document" "vault_profile" {
 }
 
 resource "aws_iam_role" "vault_instance_role" {
-  count              = var.deploy ? 1 : 0
-  name               = "vault_instance_role-${random_string.cluster_id.result}"
-  assume_role_policy = data.aws_iam_policy_document.vault_instance_role.json
+  count                 = var.deploy ? 1 : 0
+  name                  = "vault_instance_role-${random_string.cluster_id.result}"
+  assume_role_policy    = data.aws_iam_policy_document.vault_instance_role.json
+  force_detach_policies = true
 }
 
 resource "aws_iam_instance_profile" "vault_profile" {
diff --git a/enos/modules/aws_worker/iam.tf b/enos/modules/aws_worker/iam.tf
@@ -58,8 +58,9 @@ data "aws_iam_policy_document" "combined_policy_document" {
 }
 
 resource "aws_iam_role" "boundary_instance_role" {
-  name               = "boundary_instance_role-${random_string.cluster_id.result}"
-  assume_role_policy = data.aws_iam_policy_document.boundary_instance_role.json
+  name                  = "boundary_instance_role-${random_string.cluster_id.result}"
+  assume_role_policy    = data.aws_iam_policy_document.boundary_instance_role.json
+  force_detach_policies = true
 }
 
 resource "aws_iam_instance_profile" "boundary_profile" {

Original file line number	Diff line number	Diff line change
`@@ -32,8 +32,9 @@ data "aws_iam_policy_document" "boundary_profile" {`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`resource "aws_iam_role" "boundary_instance_role" {`
`35`		`- name = "boundary_instance_role-${random_string.cluster_id.result}"`
`36`		`- assume_role_policy = data.aws_iam_policy_document.boundary_instance_role.json`
	`35`	`+ name = "boundary_instance_role-${random_string.cluster_id.result}"`
	`36`	`+ assume_role_policy = data.aws_iam_policy_document.boundary_instance_role.json`
	`37`	`+ force_detach_policies = true`
`37`	`38`	`}`
`38`	`39`
`39`	`40`	`resource "aws_iam_instance_profile" "boundary_profile" {`
Original file line number	Diff line number	Diff line change
`@@ -36,9 +36,10 @@ data "aws_iam_policy_document" "vault_profile" {`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`resource "aws_iam_role" "vault_instance_role" {`
`39`		`- count = var.deploy ? 1 : 0`
`40`		`- name = "vault_instance_role-${random_string.cluster_id.result}"`
`41`		`- assume_role_policy = data.aws_iam_policy_document.vault_instance_role.json`
	`39`	`+ count = var.deploy ? 1 : 0`
	`40`	`+ name = "vault_instance_role-${random_string.cluster_id.result}"`
	`41`	`+ assume_role_policy = data.aws_iam_policy_document.vault_instance_role.json`
	`42`	`+ force_detach_policies = true`
`42`	`43`	`}`
`43`	`44`
`44`	`45`	`resource "aws_iam_instance_profile" "vault_profile" {`
Original file line number	Diff line number	Diff line change
`@@ -58,8 +58,9 @@ data "aws_iam_policy_document" "combined_policy_document" {`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`resource "aws_iam_role" "boundary_instance_role" {`
`61`		`- name = "boundary_instance_role-${random_string.cluster_id.result}"`
`62`		`- assume_role_policy = data.aws_iam_policy_document.boundary_instance_role.json`
	`61`	`+ name = "boundary_instance_role-${random_string.cluster_id.result}"`
	`62`	`+ assume_role_policy = data.aws_iam_policy_document.boundary_instance_role.json`
	`63`	`+ force_detach_policies = true`
`63`	`64`	`}`
`64`	`65`
`65`	`66`	`resource "aws_iam_instance_profile" "boundary_profile" {`